DETAILED ACTION

1. Applicant's arguments and amendments with respect to amended claims 1, 18, and 36-38, 
previously canceled claims 3 and 21, and presently pending claims 1-2, 4-20, and 22-39 have 
been considered but are moot in view of the new ground(s) of rejection. 

Claim Rejections - 35 USC § 103 

2. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

3. Claims 1-2, 4-9, 19-20, 22-27, and 37-38 are rejected under 35 U.S.C. 103(a) as being
unpatentable over Bunker, V et al. (herein after Bunker) Pub. No.: US 2003/0028803 A1 in view
of Berstis et al. (herein after Berstis) USPN 6,549,972 B1.

Regarding claims 1, 18 and 36, Bunker discloses a method/program product/system for
detecting modifications to risk assessment scanning caused by an intermediate device,
comprising:

(a) initiating a risk assessment scan at and on a target from a remote source utilizing a
network (0015 and 0093; remote source/Command Engine initiating assessment test
remotely on the target 1002);

(b) determining whether the risk assessment scan at and on the target involves an intermediate
device coupled between the target and the remote source (0129 and 0095-0101; risk
assessment ... 557/, NMAP ... determining/detecting IP spoofer/unauthorized
intermediate host);

(c) receiving results of the risk assessment scan from the target utilizing the network (0083; 
Command Engine receiving risk assessment test results from target computer remotely); 
and 

(d) notifying an administrator if it is determined that the risk assessment scan at and
on the target involves the intermediate device (0126, 0115; PortSentry Tool ... alerts
administrators to unsolicited probes ... spoofing, malicious attacks, denial of attack made
by intermediate host during target risk assessment), wherein additional operations are
carried out to improve a risk assessment at and on the target in view of the presence of
the intermediate device coupled between the target and the remote source (0095, 0126,
0163, and 0171; Command Engine reacting ... for test results received from target
computers ... performing new scan 516 ... CGI-scanner, whisker, cgichk, mesalla, port
scanner, nmap, udpscan netcat ... ping traceroute, slayer ICMP, sending warning
alert ... for security measures and/or to improve risk assessment scan);

wherein a plurality of procedures are utilized to determine whether the risk
assessment scan involves the intermediate device (0095-0101 and 0129; multiple
procedures are performed to determine IP spoofer/unauthorized intermediate host
between the target node and Command Engine device ... port scanner, whisker
scanner ...).

Bunker discloses remotely initiating risk assessment scans and performing risk
assessment scans at and on the target and detecting malicious attacker node or spoofer
intermediate host pretending to be the existing router by modifying IP address of the
existing router for the messages exchanged between the initiator device/Command
Engine and target device (0129 and 0095-0101). Bunker fails to explicitly describe the
involvement of the intermediate device as Applicant repeatedly argued.

However Berstis teaches detecting a snooper intermediate device that modifies
and/or counterfeits messages by intercepting the communications exchanged between
communication device and gateway (col. 5 lines 25-39).

Therefore it would have been obvious to one of ordinary skill in the art at the time
the invention was made to modify the teachings of detecting the involvement of
intermediate device that intercepts the messages exchanges between two nodes within the 
system of Bunker because it would detect and identify the router if the router modifies the 
risk assessment result messages exchanged between the remote initiator and target device. 
One would have been motivated to do so because it would allow providing an accurate 
risk assessment result without the router modifying the proper assessment results sent 
from the target node to remote initiator. 

Regarding claims 37 and 38, Bunker discloses a method/program product for detecting
modifications to risk assessment scanning caused by a proxy server, comprising:

(a) initiating a risk assessment scan at and on a target, from a remote source utilizing a network (0015
and 0093; remote source/Command Engine initiating assessment test remotely on the
target 1002);

(b) executing a plurality of procedures to determine whether the risk assessment scan at and on
the target involves a proxy server coupled between the target and the remote source (0095-
0101 and 0129; multiple procedures are performed to determine IP spoofer/unauthorized
intermediate host between the target node and Command Engine device ... port scanner,
whisker scanner ...);

(c) said procedures utilizing a plurality of parameters selected from the group consisting of
an ip_ttl flag, a tcp_win flag, a via tag, and a host header value (Examiner takes an
official notice for limitation (c) as Applicant admits ip_ttl flag and tcp_win flag as
well known (see Applicant's Admitted Prior Art/AAPA/disclosure page 9 par. 4-page 10 par.
2). It would have been obvious to one having ordinary skill in the art at the time the
invention was made to employ the teachings of AAPA within the system of Bunker
because it would allow to determine unauthorized (intermediate) device by comparing
the values of the flags. Data is sent to different nodes and tag values are compared. If the
tag values are different identify the new node);

(d) receiving results of the risk assessment scan from the target utilizing the network (0083;
Command Engine receiving risk assessment test results from target computer remotely);

(e) flagging the results of the risk assessment scan if at least one of the procedures indicates that
the risk assessment scan involves a proxy server coupled between the target and the remote
source (0126 and 0100); and

(f) notifying an administrator if the results of the risk assessment scan at and on the target are
flagged (0126, 0115; PortSentry Tool ... alerts administrators to unsolicited probes ...
spoofing, malicious attacks, denial of attack made by intermediate host during target risk
assessment);

wherein additional operations are carried out to improve a risk assessment at and on the target
in view of the presence of the proxy server coupled between the target and the remote source
(0095, 0126, 0029, 0163, and 0171; Command Engine reacting ... for test results
received from target computers performing new scan 516 ... CGI-scanner, whisker,
cgichk, mesalla, port scanner, nmap, udpscan netcat ... ping traceroute, slayer ICMP,
sending warning alert upon detection of ... a spoofer node pretending to be the existing
router by modifying IP address of the existing router ... for more security measures
and/or to improve risk assessment scan).

Bunker discloses remotely initiating risk assessment scans and performing risk
assessment scans at and on the target and detecting malicious attacker node or spoofer
intermediate host pretending to be the existing router by modifying IP address of the
existing router for the messages exchanged between the initiator device/Command
Engine and target device (0129 and 0095-0101). Bunker fails to explicitly describe the
involvement of the intermediate device as Applicant repeatedly argued.

However Berstis teaches detecting a snooper intermediate device that modifies
and/or counterfeits messages by intercepting the communications exchanged between
communication device and gateway (col. 5 lines 25-39).

Therefore it would have been obvious to one of ordinary skill in the art at the time
the invention was made to modify the teachings of detecting the involvement of
intermediate device that intercepts the messages exchanges between two nodes within the 
system of Bunker because it would detect and identify the router if the router modifies the 
risk assessment result messages exchanged between the remote initiator and target device. 
One would have been motivated to do so because it would allow providing an accurate 
risk assessment result without the router modifying the proper assessment results sent 
from the target node to remote initiator. 

Regarding claims 2, 19-20, and 39, Bunker and Berstis further disclose the method/program
product, wherein the intermediate device includes a router/proxy server (Bunker 0129, and Berstis
col. 5 lines 25-39).

Regarding claims 4, and 22, Bunker further discloses the method/program product, wherein at
least one of the procedures includes determining a port list associated with the risk assessment
(0095-0102; nmap, udpscan, netcat port scanners).

Regarding claims 5, and 23, Bunker further discloses the method/program product, wherein the at
least one of the procedures further includes determining whether a value of a flag is different for
communication attempts using at least two ports on the port list (0098-0103 and 0126).

Regarding claims 6, and 24, Bunker and Berstis disclose all the subject matter as disclosed
above. AAPA discloses the method/program product, wherein the flag includes an ip_ttl flag
(Examiner takes official notice as Applicant admits ip_ttl flag is well known (see Applicant's
Admitted Prior Art/AAPA/disclosure page 9 par. 4-page 10 par. 2)). The rationale for combining
is the same as for claim 37 above.

Regarding claims 7, and 25, Bunker and Berstis disclose all the subject matter as disclosed
above. AAPA further discloses the method/program product, wherein the flag includes a
tcp_win flag (Examiner takes official notice as Applicant admits tcp_win flag is well known (see
Applicant's Admitted Prior Art/AAPA/disclosure page 9 par. 4-page 10 par. 2)). The rationale for
combining is the same as for claim 37 above.

Regarding claims 8, and 26, Bunker further discloses the method/program product, wherein the 
communications include connection attempts between the remote source and the target utilizing the 
network (fig. 9). 

Regarding claims 9, and 27, Bunker further discloses the method/program product, wherein the at
least one of the procedures further includes indicating that the risk assessment scan involves the
intermediate device if the value of the flag is different for the communication attempts using the at
least two ports on the port list (0098-0103 and 0129).

4. Claims 15-17 and 33-35 are rejected under 35 U.S.C. 103(a) as being unpatentable over
Bunker, V et al. (herein after Bunker) Pub. No.: US 2003/0028803 A1 in view of Berstis et al.
(herein after Berstis) USPN 6,549,972 B1, and further in view of Miles et al. (Miles, Patent No.:
US 6,886,044 B1).

As per claims 15, and 33, Bunker and Berstis disclose all the subject matter as described above. 
Bunker and Berstis do not disclose a method/program, wherein at least one of the procedures 
includes transmitting a request without specifying a host header value. 

However Miles discloses displaying an error message when unidentified/unknown header 
value is received (col. 23 lines 66-col. 24 lines 17). 

Therefore it would have been obvious to one having ordinary skill in the art at the time
the invention was made to modify the teachings of Miles within the system of Bunker and
Berstis because it would identify the node that has unknown header value.

Regarding claims 16, and 34, Bunker and Berstis and Miles teach all the subject matter as 
described above. In addition Miles teaches a method/program, wherein the at least one of the 
procedures further includes identifying an error message in response to the request (col. 23 lines 
66-col. 24 lines 17). 

Regarding claims 17, and 35, Bunker and Berstis and Miles teach all the subject matter as
described above. In addition Bunker and Berstis further disclose the method/program product,
wherein the at least one of the procedures includes indicating that the risk assessment scan involves the
intermediate device if the response includes the error message (Bunker 0129 and Berstis col. 5 lines
25-39).

Allowable Subject Matter 

5. Claims 10-14 and 28-32 are objected to as being dependent upon a rejected base claim, 
but would be allowable if rewritten in independent form including all of the limitations of the 
base claim and any intervening claims. 

Conclusion 

6. Applicant's amendment necessitated the new ground(s) of rejection presented in this 
Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). 
Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within TWO 
MONTHS of the mailing date of this final action and the advisory action is not mailed until after
the end of the THREE-MONTH shortened statutory period, then the shortened statutory period 
will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 
CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, 
however, will the statutory period for reply expire later than SIX MONTHS from the date of this 
final action. 

7. Any inquiry concerning this communication or earlier communications from the
examiner should be directed to Eleni A. Shiferaw whose telephone number is 571-272-3867.
The examiner can normally be reached on Mon-Fri 8:00am-5:00pm.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz R. Sheikh can be reached on 571-272-3795. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 